2* ID: 5006
3* MalFamily: "AgentTesla"
5* MalScore: 10.0
7* File Name: "Exes_10c7cdc821291921a957b94b101524af.exe"
8* File Size: 70703
9* File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
10* SHA256: "411e807faf4750e40a5b56a3ce49fe8d9aa164bb773837454079699267275eaa"
11* MD5: "10c7cdc821291921a957b94b101524af"
12* SHA1: "251a2fd3e4a68f55a44afa3a2a808421c3393c74"
13* SHA512: "f35edebd6201c86160125868e26e8115fdddcf688356ca03957af6fc3f8a3133bfce88a1b8181aac538b513a8ee15dc653fb4cb3da24da296718e6a66b0451ed"
14* CRC32: "BA7777BA"
15* SSDEEP: "1536:0KH8Alz/HB1u0cyLQVLX5CeEf0bto6P7Djo:ORWEFAHf4Rvc"
17* Process Execution:
18 "900HwFOqYZW3LOS.exe",
19 "900HwFOqYZW3LOS.exe",
20 "iexplore.exe",
21 "iexplore.exe",
22 "iexplore.exe",
23 "iexplore.exe"
26* Executed Commands:
28* Signatures Detected:
30 "Description": "Behavioural detection: Executable code extraction",
31 "Details":
34 "Description": "Possible date expiration check, exits too soon after checking local time",
35 "Details":
37 "process": "900HwFOqYZW3LOS.exe, PID 1480"
42 "Description": "Performs HTTP requests potentially not found in PCAP.",
43 "Details":
45 "url_ioc": "theindianexplorer.com:80//js/header.php"
48 "url_ioc": "theindianexplorer.com:80//js/header.php"
51 "url_ioc": "theindianexplorer.com:80//js/header.php"
54 "url_ioc": "theindianexplorer.com:80//js/header.php"
59 "Description": "Expresses interest in specific running processes",
60 "Details":
62 "process": "mscorsvw.exe"
65 "process": "armsvc.exe"
70 "Description": "Reads data out of its own binary image",
71 "Details":
73 "self_read": "process: 900HwFOqYZW3LOS.exe, pid: 1480, offset: 0x00000000, length: 0x0001142f"
78 "Description": "Behavioural detection: Injection (Process Hollowing)",
79 "Details":
81 "Injection": "900HwFOqYZW3LOS.exe(1480) -> 900HwFOqYZW3LOS.exe(788)"
86 "Description": "Executed a process and injected code into it, probably while unpacking",
87 "Details":
89 "Injection": "900HwFOqYZW3LOS.exe(1480) -> 900HwFOqYZW3LOS.exe(788)"
94 "Description": "Deletes its original binary from disk",
95 "Details":
98 "Description": "Behavioural detection: Injection (inter-process)",
99 "Details":
102 "Description": "Behavioural detection: Injection with CreateRemoteThread in a remote process",
103 "Details":
106 "Description": "Installs itself for autorun at Windows startup",
107 "Details":
109 "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\73f77769-6e60-46bf-8a5b-0ba3f31a8d8d"
112 "data": "C:\\Users\\user\\AppData\\Roaming\\wlpqe\\wlpqe.exe"
115 "key": "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\73f77769-6e60-46bf-8a5b-0ba3f31a8d8d"
118 "data": "C:\\Users\\user\\AppData\\Roaming\\wlpqe\\wlpqe.exe"
121 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\73f77769-6e60-46bf-8a5b-0ba3f31a8d8d"
124 "data": "C:\\Users\\user\\AppData\\Roaming\\wlpqe\\wlpqe.exe"
129 "Description": "Stack pivoting was detected when using a critical API",
130 "Details":
132 "process": "iexplore.exe:2264"
137 "Description": "File has been identified by 53 Antiviruses on VirusTotal as malicious",
138 "Details":
140 "MicroWorld-eScan": "Gen:Win32.ProcessHijack.em3@aqqTMwg"
143 "FireEye": "Generic.mg.10c7cdc821291921"
146 "CAT-QuickHeal": "Ransom.Cerber.VB3"
149 "McAfee": "Artemis!10C7CDC82129"
152 "Zillya": "Backdoor.Androm.Win32.20824"
155 "K7AntiVirus": "Riskware ( 0040eff71 )"
158 "Alibaba": "Trojan:Win32/Poxters.7063af42"
161 "K7GW": "Riskware ( 0040eff71 )"
164 "Cybereason": "malicious.821291"
167 "TrendMicro": "TROJ_GEN.R002C0GD119"
170 "Symantec": "ML.Attribute.HighConfidence"
173 "ESET-NOD32": "Win32/Poxters.E"
176 "APEX": "Malicious"
179 "Avast": "Win32:Malware-gen"
182 "ClamAV": "Win.Trojan.Agent-6322071-0"
185 "GData": "Gen:Win32.ProcessHijack.em3@aqqTMwg"
188 "Kaspersky": "HEUR:Trojan.Win32.Generic"
191 "BitDefender": "Gen:Win32.ProcessHijack.em3@aqqTMwg"
194 "NANO-Antivirus": "Trojan.Win32.Androm.dyfrjm"
197 "Paloalto": "generic.ml"
200 "AegisLab": "Trojan.Win32.Androm.m!c"
203 "Rising": "Malware.Undefined!8.C (TFE:3:sootUv9P42)"
206 "Ad-Aware": "Gen:Win32.ProcessHijack.em3@aqqTMwg"
209 "Sophos": "Mal/Generic-S"
212 "F-Secure": "Trojan.TR/Dropper.Gen"
215 "DrWeb": "Trojan.Packed.30552"
218 "VIPRE": "Trojan.Win32.Generic!BT"
221 "Invincea": "heuristic"
224 "McAfee-GW-Edition": "BehavesLike.Win32.Generic.kh"
227 "Trapmine": "malicious.moderate.ml.score"
230 "Emsisoft": "Gen:Win32.ProcessHijack.em3@aqqTMwg (B)"
233 "SentinelOne": "DFI - Malicious PE"
236 "Webroot": "W32.Trojan.Gen"
239 "Avira": "TR/Dropper.Gen"
242 "MAX": "malware (ai score=100)"
245 "Antiy-AVL": "TrojanBackdoor/Win32.Androm.haoo"
248 "Endgame": "malicious (high confidence)"
251 "Arcabit": "Gen:Win32.ProcessHijack.E9C695"
254 "ZoneAlarm": "HEUR:Trojan.Win32.Generic"
257 "Microsoft": "Trojan:Win32/Bagsu!rfn"
260 "AhnLab-V3": "Trojan/Win32.Bagsu.C1230781"
263 "ALYac": "Gen:Win32.ProcessHijack.em3@aqqTMwg"
266 "VBA32": "Trojan.Bagsu"
269 "Cylance": "Unsafe"
272 "TrendMicro-HouseCall": "TROJ_GEN.R002C0GD119"
275 "Tencent": "Win32.Trojan.Generic.Dxnb"
278 "Yandex": "Backdoor.Androm!WOfC0a1nMGk"
281 "Ikarus": "Trojan.Win32.Poxters"
284 "Fortinet": "W32/Androm.E!tr.bdr"
287 "AVG": "Win32:Malware-gen"
290 "Panda": "Trj/Genetic.gen"
293 "CrowdStrike": "win/malicious_confidence_100% (W)"
296 "Qihoo-360": "HEUR/QVM20.1.Malware.Gen"
301 "Description": "Attempts to modify browser security settings",
302 "Details":
305 "Description": "Clamav Hits in Target/Dropped/SuriExtracted",
306 "Details":
308 "target": "clamav:Win.Trojan.Agent-6322071-0, sha256:411e807faf4750e40a5b56a3ce49fe8d9aa164bb773837454079699267275eaa, type:PE32 executable (GUI) Intel 80386, for MS Windows"
311 "dropped": "clamav:Win.Trojan.Agent-6322071-0, sha256:411e807faf4750e40a5b56a3ce49fe8d9aa164bb773837454079699267275eaa , guest_paths:C:\\Users\\user\\AppData\\Roaming\\wlpqe\\wlpqe.exe, type:PE32 executable (GUI) Intel 80386, for MS Windows"
316 "Description": "Creates a copy of itself",
317 "Details":
319 "copy": "C:\\Users\\user\\AppData\\Roaming\\wlpqe\\wlpqe.exe"
324 "Description": "Anomalous binary characteristics",
325 "Details":
327 "anomaly": "Actual checksum does not match that reported in PE header"
333* Started Service:
335* Mutexes:
336 "WindowsRemoteResilienceServiceMutex"
339* Modified Files:
340 "C:\\Users\\user\\AppData\\Local\\Temp\\900HwFOqYZW3LOS.exe",
341 "C:\\Users\\user\\AppData\\Roaming\\wlpqe\\wlpqe.exe"
344* Deleted Files:
345 "C:\\Users\\user\\AppData\\Local\\Temp\\900HwFOqYZW3LOS.exe"
348* Modified Registry Keys:
349 "HKEY_CURRENT_USER\\Software\\Resilience Software",
350 "HKEY_CURRENT_USER\\Software\\Resilience Software\\Digit",
351 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\73f77769-6e60-46bf-8a5b-0ba3f31a8d8d",
352 "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\73f77769-6e60-46bf-8a5b-0ba3f31a8d8d",
353 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\73f77769-6e60-46bf-8a5b-0ba3f31a8d8d",
354 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Associations",
355 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Associations\\LowRiskFileTypes",
356 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\0\\1806",
357 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\0\\1806"
360* Deleted Registry Keys:
362* DNS Communications:
364 "type": "A",
365 "request": "theindianexplorer.com",
366 "answers":
370* Domains:
372 "ip": "107.6.177.202",
373 "domain": "theindianexplorer.com"
377* Network Communication - ICMP:
379* Network Communication - HTTP:
381* Network Communication - SMTP:
383* Network Communication - Hosts:
385* Network Communication - IRC: